IoT Insecurity: Pinpointing the Problems

The Internet of Things today faces many challenges and obstacles as it matures, including concerns around security and privacy.

It’s a coin toss whether or not that Internet of Things device you depend on is secure. Those unacceptable 50/50 odds come from a survey by IOActive where technology professionals were asked about the security of connected devices, from thermostats and security cameras to alarm systems.

Those numbers may be hard to swallow, but recent headlines concerning connected devices, sensors and controls – ranging from SCADA to IoT and M2M – suggest that what might seem like chicken-little opinions about IoT security may not be too far from reality.

A study by HP’s security unit Fortify found that 70 percent of popular consumer IoT devices are easily hackable. When Kaspersky Lab examined industrial control systems exposed to the Shodan search engine, it found that seven percent of 172,982 ICS components vulnerable to attack had “critical” issues.

“On the IoT continuum we are about 15 percent in,” said Chris Poulin, research strategist, IBM X-Force Security. “A common refrain from the business is ‘I don’t know what I don’t know’ when it comes to IoT security. The industry is evolving. To some extent we are just trying to figure out what’s a real threat and what is fear, uncertainty, and doubt.”

Experts do, however, find consensus on common IoT security issues: a lack of standards and protocols, an inability to update device firmware, and a lack of security when it comes to data transport encryption and secure web interfaces.

Can’t Update

The problem is we are rushing to deploy insecure products to support business needs, and then deciding that we need security, said Christopher Conrad, practice manager, critical infrastructure at NSS Labs. “These products should have the security baked in, not bolted on,” Conrad said.

Some of the simplest IoT (or machine-to-machine) devices lack adequate processing power and storage to host endpoint security software. They run real-time operating systems, which do not offer support for a wide variety of endpoint protection products.

The list of IoT products whose firmware cannot be updated with security protection is long. Recent headlines bear that out, and range from malware vulnerabilities found on EZCast media streamers to CCTV cameras enlisted for DDoS attacks and web-based SCADA systems vulnerable to man-in-the-middle attacks.

In May, ICS-CERT warned that an industrial IoT device made by Environmental Systems Corporation (ESC), used by the energy sector for environmental monitoring, was vulnerable to attacks (CVE-2016-4501 and CVE-2016-4502). Worse, it said the security vulnerabilities couldn’t be fixed because the device lacked the ability to be updated.

The vulnerabilities, found by security researcher Maxim Rupp, were tied to ESC’s 8832 Data Controller, a device that “has no available code space to make any additional security patches; so, a firmware update is not possible,” according to ICS-CERT.

IoT security challenges include a lack of long-term industry support and of a patching solution for internet-connected devices that need to be updated and maintained for years to come. For example: how long does Samsung support its IoT smart fridge with security updates?

Authors

Threatpost
